§ 26 BlnDSG
Specific Technical and Organisational Measures to Ensure Lawful Processing

(1) Insofar as the processing of personal data is carried out by automated means, the controller shall, taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of the processing, take measures to ensure that
1. personal data can be attributed to their source at all times,
2. it can be established who processed which personal data, in which manner and at what time,
3. the procedures for the processing of personal data are fully and currently documented in a manner that can be comprehended within a reasonable time, and
4. the separation of personal data according to the respective purposes and data subjects is possible when providing personal data.

(2) Before a decision on the deployment of, or a material change to, an automated processing of personal data, the technical and organisational measures to be taken shall be determined on the basis of a risk analysis and documented in a data protection concept. In accordance with technological developments and changes in the risks associated with the processing operations, the determination of measures shall be repeated at appropriate intervals.

(3) Where systems and services used for processing pursuant to paragraph 1 are maintained, suitable technical and organisational measures shall be taken to ensure that only the personal data necessary for the maintenance can be accessed. These measures must in particular ensure the following:
1. maintenance may only be carried out by authorised personnel,
2. each maintenance operation may only be carried out with the knowledge and consent of the storing body,
3. the unauthorised removal or transfer of personal data during maintenance shall be prevented, and
4. it shall be ensured that all maintenance operations can be monitored and verified after completion.
Insofar as maintenance is carried out by a processor, the contract or legal instrument pursuant to Article 28(3) of Regulation (EU) 2016/679 must contain provisions ensuring that the processor does not transmit personal data that come to its knowledge to other bodies. The performance of maintenance work with the possibility that personal data may come to the knowledge of bodies outside the territorial scope of Regulation (EU) 2016/679 shall only be permissible where it is necessary and, in the case of a transmission, the conditions of Article 45 or 46 of Regulation (EU) 2016/679 are met.

(4) The provisions of Regulation (EU) 2016/679 shall not be restricted by paragraphs 1 to 3.